Report: Microsoft Monopoly Puts Computing at Risk

Microsoft has a virtual monopoly on the desktop, and that puts networks, and
indeed computing at large, at grave risk. At least that's the claim of the authors
of a paper released today that says "the goal must be to break the monoculture,"
a new term to describe Microsoft's operating system monopoly.

The report is titled "Cyberinsecurity: The Cost of Monopoly", and
its authors include some well-known names in the IT security field, such as
Bruce Schneier of Counterpane Internet Security, and Daniel Geer of the security
firm @stake.

The seven authors held a Wednesday morning conference call with reporters.
Geer went so far as to state he was staking his professional reputation on the
report. "There is a matter of competition policy and security policy that
cannot be ignored any longer," he said. "It isn't any one factor,
but a combination of factors that make this important. It's the nature of the
platform that dominates every desktop everywhere. Its dominance, coupled with
its insecurity, can't be ignored any further."

Another of the authors, security consultant Perry Metzger, said the problem
is that there is "a gigantic susceptible population of machines. You can
do awful things to vast numbers of machines. Whether or not the vendor is trying
to protect the systems, with such a huge number of machines, any vulnerability
can be spread to huge numbers" of computers.

The report was issued by the Computer and Communications Industry Association
(CCIA), a long-time Microsoft nemesis which counts among its members America
Online, Oracle and Sun. It's also been involved in the anti-trust lawsuits against
Microsoft. The authors said they weren't influenced by CCIA's anti-Microsoft
stance, but the report's introduction, written by CCIA, is a harshly-worded
broadside against Redmond. "Microsoft's efforts to design its software
in evermore complex ways so as to illegally shut out efforts by others to interoperate
or compete with their products has succeeded The presence of this single,
dominant operating system in the hands of nearly all end users is inherently
dangerous," it states.

The report's authors are equally scathing. "Most of the world's computers
run Microsoft's operating systems, thus most of the world's computers are vulnerable
to the same viruses and worms at the same time. The only way to stop this is
to avoid monoculture in computer operating systems Microsoft exacerbates
this problem via a wide range of practices that lock users to its platform.
The impact on security of this lock-in is real and endangers society,"
the report states.

A number of authors argued the problem isn't necessarily the security or insecurity
of Microsoft products themselves, but rather their pervasiveness. As Metzger
said, "If every machine on earth ran Mac OS X, it would be the same problem."

Schneier went even further. "I wouldn't put any of the blame on Microsoft The
problem won't be fixed based by the altruism of Microsoft, but by businesses
saying this is a problem and we're going to fix it."

While the authors spent a great deal of time describing what they see as the
problem, they offered little in the way of possible solutions. "We're speaking
as scientists, not as policy people. We understand there are lots of political
ramifications to this," Schneier said. Several authors suggested that government
would have to have a leading role in any remedy of the problem, but again, no
concrete solutions were offered.

The consensus, however, was that more OS diversity was needed. "Having
diversity is necessary. It's not [all] sufficient by any means, but necessary,"
said one. One area the authors declined to discuss was the server/datacenter
environment, which is diversity-rich, and where Microsoft doesn't even have
a majority, let alone a monopoly, of the operating systems in use.